Starting today, Google supports Service Accounts, which provide certificate-based authentication for server-to-server interactions. This means, for example, that a request from a web application to Google Cloud Storage can be authenticated via a certificate instead of a shared key. Certificates offer better security properties than shared keys and passwords, largely because they are not human-readable or guessable.

Service accounts are currently supported by the following Google developer services:

Google Cloud Storage

Google Prediction API

Google URL Shortener

Google OAuth 2.0 Authorization Server

Google APIs Console

Google APIs Client Libraries for Python, Java, and PHP

Over time, more Google APIs and client libraries will be supported.

This feature is implemented as an OAuth 2.0 flow and is compliant with draft 25 of the OAuth 2.0 specification. An application implements the following steps to authenticate with a Service Account:

Generate a JSON structure.

Sign the JSON structure with a private key, and encode it as a JSON Web Token (JWT).

Send the JWT to Google’s OAuth 2.0 Authorization Server in exchange for an access token.

Send the access token to Google Cloud Storage or the Google Prediction API.

The Google APIs Client Libraries for Python, Java, and PHP wrap these steps into a few lines of code and abstract the error-prone signing and encoding operations from your applications. We strongly encourage you to use these libraries for this type of interaction. We will be expanding support to other client libraries (including Ruby and .NET). Library developers can find the specifics of the protocol in the OAuth 2.0 Service Accounts documentation.

As always, we welcome and appreciate feedback. Please post any questions or comments to the OAuth 2.0 Google group.

Justin Smith is a Google Product Manager and works on authentication and authorization technologies. He enjoys woodworking, cycling, country music, and the company of his wife and newborn daughter (not in that order).